Your school or workplace may require you to change your password every couple months or so to keep your account safe. It’s a widely-implemented security recommendation.
Except it’s totally wrong.
The Federal Trade Commission’s chief technologist, Lorrie Cranor, busted that myth earlier this week, at a security conference in Las Vegas.
Turns out, requiring periodic password changes could end up making your password less secure. The reason is that when most people are required to change their password, they end up using their old password, but they make a small change.
They might change a lowercase letter to an uppercase letter. Or they might add an extra letter to the end. Researchers call these little tricks “transformations,” and hackers are very aware of them.
So real-world password crackers build these predictable transformations into their scripts and cracking routines.
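As an added example (not from the article or the UNC research it cites), here is a server-side check a password-change handler could run to reject a new password that is only a small transformation of the old one; the function, its name and its thresholds are assumptions:

```python
import re

# Assumed helper: lower-case the password and strip leading/trailing
# non-letters, so "Sunshine1!" and "sunshine2" both normalize to "sunshine".
def _normalize(pw: str) -> str:
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())

# Plain Levenshtein edit distance (insert/delete/substitute), used to catch
# single-character swaps that the rules above do not cover.
def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_transformation(old: str, new: str, max_edits: int = 2) -> bool:
    """Return True if `new` looks predictably derived from `old`.

    Covers the patterns the article describes: case flips, characters
    appended or prepended, and digit/symbol bumps at either end.
    """
    if old.lower() == new.lower():          # same password, only case changed
        return True
    n_old, n_new = _normalize(old), _normalize(new)
    if n_old and n_old == n_new:            # only the trailing/leading digits or symbols differ
        return True
    lo, ln = old.lower(), new.lower()
    if ln.startswith(lo) or lo.startswith(ln):  # old password plus or minus extra characters
        return True
    return _levenshtein(lo, ln) <= max_edits    # one or two characters swapped

def validate_password_change(old: str, new: str) -> str:
    """Assumed policy hook: return 'reject' or 'accept' for a change request."""
    return "reject" if is_trivial_transformation(old, new) else "accept"
```

A real deployment would compare against a history of previous passwords, not just the current one, and would run this on the server where the plaintext is briefly available during the change request.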
“UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor said, according to Ars Technica. “They take their old passwords, they change it in some small way, and they come up with a new password.”
Cranor is citing UNC research from 2010 that looked at a dataset of 7700 accounts that were required to change their passwords regularly.
Security expert Bruce Schneier agrees. “I’ve been saying for years that it’s bad security advice, that it encourages poor passwords,” he wrote on Friday.
That doesn’t mean it’s never a good idea to change your password. If your password is part of a major breach, like the one that struck LinkedIn, and you reuse it on other sites (which you shouldn’t) then of course you should change it.
The best practices for picking a secure password change from time to time, and I’m not a security expert. Generally, you want your password to be long and random. Schneier has good advice here and this webcomic suggests an easy-to-remember system.